KQL_win_plugx_susp_exe_locations.txt
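// Detection: known legitimate executable names launched from an unexpected location.
// For each (file name, expected install folder[s]) pair below, a process-creation
// event (Windows Security event 4688) whose created-process path ends with the file
// name but does NOT sit under one of the expected folders is returned.
//
// Schema notes for the SecurityEvent table:
//   - the created process path is in NewProcessName; there is no 'Image' column
//     in this table, so the Sigma/Sysmon-style field name would match nothing;
//   - EventID is an int, so it is compared to a numeric literal, not a string.
// KQL 'endswith' and 'contains' are case-insensitive, so path casing is irrelevant.
// Verbatim strings (@"...") are used so backslashes need no escaping.
// Fixed typo in the hkcmd.exe exclusion: "SysWowo64" -> "SysWOW64".
SecurityEvent
| where EventID == 4688
| where
    // Lenovo CamMute
    (NewProcessName endswith @"\CamMute.exe"
        and not (NewProcessName contains @"\Lenovo\Communication Utility\"))
    // Google Chrome Frame helper
    or (NewProcessName endswith @"\chrome_frame_helper.exe"
        and not (NewProcessName contains @"\Google\Chrome\application\"))
    // Microsoft Device Emulator manager
    or (NewProcessName endswith @"\dvcemumanager.exe"
        and not (NewProcessName contains @"\Microsoft Device Emulator\"))
    // Windows Media Player gadget
    or (NewProcessName endswith @"\Gadget.exe"
        and not (NewProcessName contains @"\Windows Media Player\"))
    // HTML Help Workshop compiler
    or (NewProcessName endswith @"\hcc.exe"
        and not (NewProcessName contains @"\HTML Help Workshop\"))
    // Intel hotkey command module; legitimate only under the system directories
    or (NewProcessName endswith @"\hkcmd.exe"
        and not (NewProcessName contains @"\System32\"
              or NewProcessName contains @"\SysNative\"
              or NewProcessName contains @"\SysWOW64\"))
    // Message compiler shipped with Visual Studio / SDKs / Windows Kits
    or (NewProcessName endswith @"\Mc.exe"
        and not (NewProcessName contains @"\Microsoft Visual Studio"
              or NewProcessName contains @"\Microsoft SDK"
              or NewProcessName contains @"\Windows Kit"))
    // Microsoft antimalware service
    or (NewProcessName endswith @"\MsMpEng.exe"
        and not (NewProcessName contains @"\Microsoft Security Client\"
              or NewProcessName contains @"\Windows Defender\"
              or NewProcessName contains @"\AntiMalware\"))
    // Microsoft Security Essentials UI
    or (NewProcessName endswith @"\msseces.exe"
        and not (NewProcessName contains @"\Microsoft Security Center\"
              or NewProcessName contains @"\Microsoft Security Client\"
              or NewProcessName contains @"\Microsoft Security Essentials\"))
    // Office info tool
    or (NewProcessName endswith @"\OInfoP11.exe"
        and not (NewProcessName contains @"\Common Files\Microsoft Shared\"))
    // OLE/COM object viewer from Visual Studio / SDKs / Kits
    or (NewProcessName endswith @"\OleView.exe"
        and not (NewProcessName contains @"\Microsoft Visual Studio"
              or NewProcessName contains @"\Microsoft SDK"
              or NewProcessName contains @"\Windows Kit"
              or NewProcessName contains @"\Windows Resource Kit\"))
    // Resource compiler from Visual Studio / SDKs / Kits / .NET
    or (NewProcessName endswith @"\rc.exe"
        and not (NewProcessName contains @"\Microsoft Visual Studio"
              or NewProcessName contains @"\Microsoft SDK"
              or NewProcessName contains @"\Windows Kit"
              or NewProcessName contains @"\Windows Resource Kit\"
              or NewProcessName contains @"\Microsoft.NET\"))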